What key phrases do people scan log files for?

At our site, we log everything we can to a central "more secure" logging server. We divide our logging up into three files: SYSLOG.mail for all mail, SYSLOG.auth for authentication, and SYSLOG for everything else.

On our IRIX 5.3 systems, I've found that searching for the following is helpful:

VRFY         /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
EXPN         /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
" command "  /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
deni         /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
fail         /usr/adm/*SYSLOG.auth   check for failed login attempts
                                     (passwords at the login prompt;
                                     brute force attacks, etc)

Does anyone have other things you look for on a regular basis?

I'm eventually hoping that we'll start using one of the log filter packages out there on the net. Anyone compared the various log filtering packages out there? Do any of the packages come with preset standard patterns to search for?

Thanks!

---
Mike Kienenberger
Arctic Region Supercomputing Center
Systems Analyst
(907) 474-6842
mkienenb@arsc.edu
http://www.arsc.edu
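
The searches listed in the message above, as an added example that is not part of the original post: POSIX shell that runs the five searches in one pass over a log directory and prints a match count for each. The function names `make_sample_logs` and `scan_logs`, the labels, and every sample log line are constructed for illustration, and the quotes around " command " are assumed to be shell quoting rather than part of the pattern.

```shell
#!/bin/sh
# Added example: the five searches from the post, run as one pass over a log
# directory. Function names and all sample log lines are constructed.

# Write constructed sample logs into directory $1.
make_sample_logs() {
    cat > "$1/oSYSLOG.mail" <<'EOF'
Mar  3 02:11:07 mailhub sendmail[4121]: NOQUEUE: host.example.net [192.0.2.10]: VRFY root
EOF
    cat > "$1/SYSLOG.mail" <<'EOF'
Mar  3 02:11:09 mailhub sendmail[4121]: NOQUEUE: host.example.net [192.0.2.10]: EXPN staff
Mar  3 02:11:15 mailhub sendmail[4121]: "wiz" command from host.example.net (192.0.2.10)
Mar  3 02:12:40 mailhub sendmail[4130]: CAA04130: from=<a@example.org>, size=812
EOF
    cat > "$1/SYSLOG.auth" <<'EOF'
Mar  3 02:20:01 login1 rshd[5001]: connection denied from host.example.net
Mar  3 02:20:05 login1 login[5003]: failed: alice on ttyq3
Mar  3 02:20:09 login1 login[5003]: failed: alice on ttyq3
EOF
}

# Print "label count" for each search against $1/*SYSLOG.<suffix>.
scan_logs() {
    dir=$1
    # Each row is pattern|file suffix|label. Patterns are fixed strings from
    # the post; the quotes around " command " are read as shell quoting.
    while IFS='|' read -r pat suffix label; do
        # The glob also picks up rotated copies; no files counts as 0.
        n=$(cat "$dir"/*SYSLOG."$suffix" 2>/dev/null | grep -c -F -- "$pat" || true)
        printf '%s %s\n' "$label" "$n"
    done <<'EOF'
VRFY|mail|vrfy
EXPN|mail|expn
 command |mail|debug_wiz
deni|auth|denied
fail|auth|failed
EOF
}
```

Calling `scan_logs /usr/adm` applies the same patterns to the paths named in the post; a count that jumps between runs is the cue to read the matching lines themselves.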